Google Mistake Reveals Huge Email Security Flaw


Until recently, Google, Yahoo, eBay and Amazon were using weak
cryptographic signatures to digitally "sign" their own emails —
and they still would be had a Florida mathematician not
discovered the glaring security hole.

Zachary Harris, a mathematics researcher and consultant in
Jupiter, Fla., told Wired's Kim Zetter that it all began
when he got an email from Google in December 2011 asking him
if he'd be interested in a job.

The problem was that the email might not really have come from
Google. Harris noticed that Google had been using 512-bit keys
to generate its email signatures under a protocol called
DomainKeys Identified Mail, or DKIM, and a 512-bit DKIM key can
be factored with modest resources.
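As an added example (not from the article, Harris, or Google), here is a small Python checker that parses a DKIM DNS TXT record, walks the DER SubjectPublicKeyInfo in its p= tag with no third-party libraries, and reports the RSA modulus size so a mail administrator can spot a 512-bit key before someone else does. The sample record is constructed with a synthetic modulus rather than a real key, and `synthetic_dkim_record` and the 1024-bit floor are assumptions of this example (1024 bits is the minimum RFC 8301 later mandated).

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def der_tlv(tag, body):
    # Encode one DER tag-length-value; short length form below 128, else 0x8N + N length bytes
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 128 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_read(buf):
    # Decode one DER TLV from the front of buf: returns (tag, value, remaining bytes)
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[pos:pos + length], buf[pos + length:]

def rsa_modulus_bits(spki_der):
    # SubjectPublicKeyInfo -> skip AlgorithmIdentifier -> BIT STRING -> RSAPublicKey -> INTEGER n
    _, spki, _ = der_read(spki_der)
    _, _alg, rest = der_read(spki)
    tag, bitstr, _ = der_read(rest)
    _, rsa_pub, _ = der_read(bitstr[1:])          # bitstr[0] is the unused-bit count
    tag2, modulus, _ = der_read(rsa_pub)
    if (tag, tag2) != (0x03, 0x02):
        raise ValueError("unexpected DER structure in p= key")
    return int.from_bytes(modulus, "big").bit_length()

def dkim_key_bits(txt_record):
    # Parse "v=DKIM1; k=rsa; p=<base64 SPKI>" and return the RSA key size in bits
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)   # p= is often folded across whitespace
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key: k=%s" % tags["k"])
    return rsa_modulus_bits(base64.b64decode(tags["p"]))

def key_is_acceptable(txt_record, minimum=1024):
    return dkim_key_bits(txt_record) >= minimum   # assumed floor; Google moved to 2048

def synthetic_dkim_record(bits):
    # Constructed sample (NOT a real key): a modulus of the requested size with e = 65537
    n = (1 << (bits - 1)) | 1
    n_der = der_tlv(0x02, b"\x00" + n.to_bytes(bits // 8, "big"))  # 0x00 pad keeps INTEGER positive
    rsa_pub = der_tlv(0x30, n_der + der_tlv(0x02, b"\x01\x00\x01"))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + b"\x05\x00")       # rsaEncryption, NULL params
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

To audit a live domain, feed `dkim_key_bits` the TXT record at `<selector>._domainkey.<domain>` (for example from `dig TXT`).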

"A 384-bit key I can factor on my laptop in 24 hours," Harris
told Wired. "The 512-bit keys I can factor in about 72 hours
using Amazon Web Services for $75."

Harris didn't want the job, but he figured it could be fun if he
spoofed Google's DKIM signature as well. So he forged two email
messages, both of which included a link to his personal website.

One spoofed message looked like it came from Google co-founder
Larry Page. The other looked as if it came from Page's
counterpart Sergey Brin. He sent each spoofed email to the other
man and waited for a response.

The response never came. But two days later, Google boosted its
DKIM key length to 2,048 bits.